ICS security trends

As the Industrial Internet of Things (IIoT) becomes more prevalent, there is a greater risk for intentional and unintentional cyber security breaches. Industrial control system (ICS) security should focus on advanced security-focused products; security as an attribute of all Ethernet devices; and further adoption of defense-in-depth as major trends going forward.
By Heather MacKenzie and Jeff Lund, January 22, 2016

Cyber security has been increasing in importance in industrial facilities since the discovery of Stuxnet in 2010. More recently, there’s been the rise of the Industrial Internet of Things (IIoT) with its increased numbers of connected devices and links to the Internet and business systems.

More IIoT-related entry points to industrial communications infrastructure means more cyber risk from not only intentional attacks but also from unintentional sources such as device failure, operator error, and malware. In manufacturing and process control environments this means higher risk to physical devices and processes and the possibility of physical, not just digital, damage.

What does this imply for industrial control system (ICS) security going forward? There are three trends to consider: advanced security-focused products; security as an attribute of all Ethernet devices; and further adoption of defense-in-depth. 

Advanced industrial security-focused products

Increased cyber security risk is leading vendors to develop advanced technologies that deal with the particular challenges of control system security. One of these challenges is the widespread use of ICS communication protocols that were not designed with security in mind. Securing them without impacting their control functionality requires advanced technology.

Deep packet inspection (DPI) is one example. Intrusion detection systems (IDS) monitor only for broad categories of basic attacks, while most firewalls use access control lists or stateful inspection to either allow or block all messages of an industrial protocol such as Modbus TCP.

DPI, however, digs deeper to understand what the protocol is being used for and provide protection, not just detection. DPI does this, for instance, by determining if a Modbus message is read or write and dropping all write messages, or only allowing writes of particular registers. This allows the protection to be exactly tailored to the application, allowing essential control messages to communicate as required while blocking potentially dangerous or inappropriate messages.
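The read/write decision described above can be sketched as a small Modbus TCP filter. This is an added example, not code from the article or from any vendor product; the names `inspect`, `build_frame` and `writable` are hypothetical and the frames are constructed for illustration.

```python
import struct

READ_FUNCS = {1, 2, 3, 4}   # read coils, discrete inputs, holding regs, input regs

def build_frame(func, data, tid=1, unit=1):
    """Constructed sample helper: wrap a PDU in a 7-byte MBAP header."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([func]) + data

def inspect(frame, writable=frozenset()):
    """Return 'allow' or 'drop' for one Modbus TCP frame.

    writable: holding-register addresses that may be written
              (empty set = read-only policy, all writes dropped).
    """
    if len(frame) < 8:                         # MBAP header + function code
        return "drop"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return "drop"                          # not Modbus, or length field lies
    func, data = frame[7], frame[8:]
    if func in READ_FUNCS:
        return "allow" if len(data) == 4 else "drop"
    if func == 6 and len(data) == 4:           # write single register
        addr = struct.unpack(">H", data[:2])[0]
        targets = range(addr, addr + 1)
    elif func == 16 and len(data) >= 5:        # write multiple registers
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= 123 or nbytes != 2 * qty or len(data) != 5 + nbytes:
            return "drop"                      # malformed write request
        targets = range(addr, addr + qty)
    else:
        return "drop"    # coil writes, diagnostics, unknown codes: default deny
    # Every register touched by the write must be on the allow list.
    return "allow" if all(a in writable for a in targets) else "drop"

if __name__ == "__main__":
    read = build_frame(3, struct.pack(">HH", 0, 10))
    write = build_frame(6, struct.pack(">HH", 100, 1))
    print(inspect(read), inspect(write), inspect(write, {100}))
```

An ACL or stateful rule on TCP port 502 would treat all three sample frames identically; the filter separates them because it parses the function code and the target addresses.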

Security built into Ethernet networking devices

Ethernet networking devices such as industrial routers, switches, and firewalls are at every connection point of the ICS network. This makes them ideal security sentinels to identify and control traffic entering and leaving at all points of the communications infrastructure. However, studies show most industrial cyber incidents are unintentional. These incidents occur due to human error, a software or device flaw, or the inadvertent introduction of malware. This means ICS security needs to protect from "friends and neighbors" as well as "enemies." A focused effort to evolve all Ethernet devices to play an active role in their own security can help mitigate some of these risks.

Further adoption of defense-in-depth best practices

The principles of defense-in-depth, as per ISA/IEC 62443 (formerly ISA 99), have been well understood and readily adopted into many perceived "high risk" applications. However, in both the installed base of control systems and new deployments, many industrial networks still do not follow these principles.

Perhaps this is because many industrial engineers and operators have viewed cyber security as being relevant only for protection from intentional attacks from hackers. Most industrial cyber incidents are unintentional, and they don’t target only high-profile systems. Human error and device flaws can happen to anyone.

Defense-in-depth is as much about enhancing system reliability and resiliency as it is about security. As this realization spreads, the adoption of defense-in-depth practices will increase.

Good cyber security is an ongoing process. That means vigilance: users monitor communication systems for unusual activity or configuration changes and investigate alterations and anomalies. Get started on better cyber security today and make it a focus area for continuous improvement.

Heather MacKenzie is with Tofino Security, a Belden company; Jeff Lund is responsible for Belden’s product initiatives related to the Industrial Internet of Things (IIoT). This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.